How to generate and auto-renew custom CA certificates in Kubernetes

8/7/2018

I have a Kubernetes cluster (1.10) which I am going to use for a few applications which will need to talk to a message broker also deployed in the same cluster.

I would like to configure the broker to only accept x509 certificates from a specific, self-signed CA and, as a security measure, I would like the client certificate needed for each pod to communicate with the broker to be generated upon deployment of said pod, and also renewal of said certificate (along with restart of the service) to be automated.

I can see that Kubernetes has a certificates endpoint but I cannot find any documentation on how to go about using it that way.

What would be the best option to go about something like this? I know that certain applications like Istio have this feature built-in but in this case I need something that would work with my own custom self-signed CA allowing me to use the certificates as I see fit.

Do I need to develop an operator for this or maybe someone has already done something similar? Maybe I am going about this the wrong way?

-- Alexandre Thenorio
Tags: client-certificates, kubernetes, pki, x509
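The per-pod issuance and renewal trigger the question asks about, as an added Go example using only the standard library's crypto/x509 (this is not code from the question, the answer, or any project; it does not use the Kubernetes certificates API): a constructed self-signed CA, a short-lived client-auth-only certificate per pod, and the check a renewer would run before reissuing. The CA name, the pod name and the one-third-of-lifetime renewal threshold are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key and a certificate for tmpl signed by parent/parentKey; nil parent = self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil { // random serial
		return nil, nil, err
	}
	if parent == nil { // the CA signs its own certificate
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// NewCA builds the self-signed CA the broker is configured to trust (CA name constructed for this example).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		Subject: pkix.Name{CommonName: "example-broker-ca"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(5, 0, 0), KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}
// IssueClientCert signs a short-lived certificate for one pod, restricted to client authentication only.
func IssueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, pod string, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		Subject: pkix.Name{CommonName: pod}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
}
// NeedsRenewal is the renewer's trigger: true once less than a third of the lifetime remains (assumed threshold).
func NeedsRenewal(cert *x509.Certificate, now time.Time) bool {
	return now.After(cert.NotAfter.Add(-cert.NotAfter.Sub(cert.NotBefore) / 3))
}
```

A controller built around these would store the CA key outside the pods, write each pod's key and certificate into a Secret at deployment, and restart the pod when NeedsRenewal becomes true; the broker only needs the CA certificate in its trust store.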

1 Answer

8/8/2018

I would suggest looking into https://istio.io/ which can provide mutual TLS for services deployed within the cluster without the need to develop it on the app side.

-- Radek 'Goblin' Pieczonka
Source: StackOverflow